On 1/15/2013 10:42 AM, Eric Shubert wrote:
On 01/14/2013 09:22 PM, David Milholen wrote:
Hello all,
  Been a long time since I've been here to ask a question.
I am getting spam from localhost but it's not my localhost..
How do I block this using spamdyke?
SMTP LOG
@4000000050f4d8b10021a73c tcpserver: pid 18003 from 222.254.188.144
@4000000050f4d8b100230e9c tcpserver: ok 18003 mx2:98.16.104.13:25 :222.254.188.144::50262
@4000000050f4d8b213e46264 CHKUSER accepted sender: from <[email protected]::> remote <localhost:unknown:222.254.188.144> rcpt <> : sender accepted
@4000000050f4d8b238806c94 CHKUSER accepted any rcpt: from <[email protected]::> remote <localhost:unknown:222.254.188.144> rcpt <[email protected]> : accepted any recipient for this domain
@4000000050f4d8b33170ce94 spamdyke[18003]: ALLOWED from: [email protected] to: [email protected] origin_ip: 222.254.188.144 origin_rdns: localhost auth: (unknown) encryption: (none) reason: 250_ok_1358223529_qp_18005

not sure how to stop localhost without breaking something..
thanks
Dave


--

David Milholen
Project Engineer
P:501-318-1300

C'mon guys. Look closely at the log message:
remote <localhost:unknown:222.254.188.144>

The first part of this (localhost) is the rDNS name. This can be verified:
shubes@edwin:~$ host 222.254.188.144
144.188.254.222.in-addr.arpa domain name pointer localhost.
shubes@edwin:~$

Kinda clever on the spammer's part actually, as many servers are configured to allow all email from localhost.

So to block this one and others like it, add
localhost
to the blacklist_rdns file.

This might cause a problem with the stock QMT configuration of SquirrelMail though, since SM by default uses port 25 with no authentication. I plan to change this in the stock SM config at some point, but in the meantime you can simply change the /etc/squirrelmail/config_local.php file according to the wiki page here:
http://wiki.qmailtoaster.com/index.php/Fetchmail

That should nail it for you.

BTW, thanks for the TIP:
Blacklist localhost in blacklist_rdns file!
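The point Eric makes above is that the "localhost" in the spamdyke log is only the remote side's reverse DNS name, which the address owner controls, so it says nothing about where the connection really came from. A quick way to find such connections in an existing log, and to confirm after the blacklist_rdns change that none of them are still being ALLOWED, is to parse the spamdyke lines and compare origin_rdns against origin_ip. The script below is an added example written for this thread, not code from spamdyke or from anyone in the discussion; the log lines are constructed to match the format quoted in the thread, and the addresses and the 203.0.113.7 / 127.0.0.1 entries are placeholders.

```python
import ipaddress
import re

# Constructed sample log, modelled on the spamdyke lines quoted in the thread.
# Addresses and the last two entries are made-up placeholders.
SAMPLE_LOG = """\
@4000000050f4d8b10021a73c tcpserver: pid 18003 from 222.254.188.144
@4000000050f4d8b33170ce94 spamdyke[18003]: ALLOWED from: spammer@example.org to: user@example.com origin_ip: 222.254.188.144 origin_rdns: localhost auth: (unknown) encryption: (none) reason: 250_ok_1358223529_qp_18005
@4000000050f6371106792c54 spamdyke[13444]: DENIED_BLACKLIST_NAME from: spammer@example.org to: user@example.com origin_ip: 113.173.38.152 origin_rdns: localhost auth: (unknown) encryption: (none) reason: /etc/spamdyke/blacklist_rdns:1
@4000000050f6371106792c55 spamdyke[13445]: ALLOWED from: webmail@example.com to: user@example.com origin_ip: 127.0.0.1 origin_rdns: localhost auth: (unknown) encryption: (none) reason: 250_ok_1358223530_qp_18006
@4000000050f6371106792c56 spamdyke[13446]: ALLOWED from: friend@example.net to: user@example.com origin_ip: 203.0.113.7 origin_rdns: mail.example.net auth: (unknown) encryption: (none) reason: 250_ok_1358223531_qp_18007
"""

# Field layout of a spamdyke verdict line as it appears in the thread.
LINE_RE = re.compile(
    r"spamdyke\[(?P<pid>\d+)\]: (?P<verdict>\S+) from: (?P<sender>\S+) "
    r"to: (?P<rcpt>\S+) origin_ip: (?P<ip>\S+) origin_rdns: (?P<rdns>\S+) "
    r"auth: (?P<auth>\S+) encryption: (?P<enc>\S+) reason: (?P<reason>.*)"
)


def parse_line(line):
    """Return the fields of a spamdyke verdict line, or None for other lines
    (tcpserver and CHKUSER lines are skipped)."""
    match = LINE_RE.search(line)
    return match.groupdict() if match else None


def rdns_claims_localhost(rdns):
    """True if the reverse name is 'localhost' or lives under it."""
    name = rdns.lower().rstrip(".")
    return name == "localhost" or name.endswith(".localhost")


def ip_is_loopback(ip):
    """True only for a genuine loopback address (127.0.0.0/8 or ::1)."""
    try:
        return ipaddress.ip_address(ip).is_loopback
    except ValueError:
        # A malformed IP field is never treated as local.
        return False


def find_spoofed_localhost(log_text):
    """Entries whose rDNS says localhost but whose IP is not loopback."""
    hits = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        if rdns_claims_localhost(entry["rdns"]) and not ip_is_loopback(entry["ip"]):
            hits.append(entry)
    return hits


def unblocked_spoofs(log_text):
    """The subset of spoofed-localhost entries that spamdyke still ALLOWED;
    after 'localhost' is in blacklist_rdns this list should be empty."""
    return [e for e in find_spoofed_localhost(log_text) if e["verdict"] == "ALLOWED"]


if __name__ == "__main__":
    for e in find_spoofed_localhost(SAMPLE_LOG):
        print(f'{e["verdict"]:<22} {e["ip"]:<16} rdns={e["rdns"]} from={e["sender"]}')
    print("still allowed:", [e["ip"] for e in unblocked_spoofs(SAMPLE_LOG)])
```

Run against the real log instead of SAMPLE_LOG (for example by reading the file in place of the string) before and after editing blacklist_rdns: the 127.0.0.1 entry is left alone because its address really is loopback, which is the case a stock SquirrelMail submission on port 25 falls into, while the two remote hosts with a forged "localhost" reverse name are reported, and the ALLOWED one is the gap the blacklist entry closes.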

Ok,
Looks like this is working for me and all I had to do was blacklist_rdns "localhost"
eric and the gang :)
@4000000050f6371106792c54 spamdyke[13444]: DENIED_BLACKLIST_NAME from: [email protected] to: [email protected] origin_ip: 113.173.38.152 origin_rdns: localhost auth: (unknown) encryption: (none) reason: /etc/spamdyke/blacklist_rdns:1

I am beginning to think that it takes a clever spammer to get past what I have had to deal with over the years.. So Come at me BRO!
LOL
thanks

Dave


--

David Milholen
Project Engineer
P:501-318-1300
